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ABSTRACT 



Francois Morain, Jorge Ohvos, "Speeding Up the Compu- 
tations on an Elliptic Curve Using Addition-Subtraction 



A method of generating and verifying a digital signature by 
selecting an elHptic curve; selecting a point G; generating x 
and M; reducing x; generating a base tau expansion, in 
non-adjacent form, of the reduced x; multiplying G by the 
expansion; computing h=Hash(M); generating k; reducing 
k; generating a base tau expansion, in non-adjacent form, of 
the reduced k; multiplying G by the expansion of k to form 
K-(K^Ky); computing R-(K^ mod q); returning to the step 
of generating k if R«0, otherwise computing S=(k"-l)(h+ 
xR); returning to the step of generating k if S=0, otherwise 
transmitting y, q, M, R, and S; receiving y, q, M, R, and S; 
proceeding with the next step if 0<R<q and 0<S<q, other- 
wise not verifying the digital signature and stopping; form- 
ing b-Hash(M); computing f-((S'-l) mod q), b-(hf mod q), 
and t=(Rf mod q); reducing b and t; generating a base tau 
expansion, in non- adjacent form, of the reduced b; multi- 
plies G by the result of the last step to form a point B; 
reduces t; generates a base tau expansion, in non-adjacent 
form, of the reduced b and t; multiplying G by the expansion 
of t; computing V-B+T, where V-(V^,V^); computing 
v=(V^ mod q); and verifying the digital signature if v=R, 
otherwise not verifying the digital signature. 

30 Claims, 15 Drawing Sheets 
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USER A PICKS AN ELLIPTIC CURVE AND A BASE 
POINT G ON THE ELLIPTIC CURVE 
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USER A GENERATES A SIGNATURE KEY x AND A MESSAGE M 
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USER A REDUCES x AND GENERATES A TAU-ADIC 
EXPANSION OF REDUCED x IN NON-ADJACENT FORM 





USER A MULTIPLIES G BY THE TAU-ADIC EXPANSION OF 
REDUCED X TO FORM A POINT y ON THE ELLIPTIC CURVE 



USER A FORMS A HASH h OF THE MESSAGE 



USER A GENERATES A PRIVATE INTEGER k, REDUCES k, 
AND GENERATES A TAU-ADIC EXPANSION OF REDUCED 
k IN NON- ADJACENT FORM 



USER A MULTIPLIES G BY THE TAU-ADIC EXPANSION OF 
REDUCED k TO FORM A POINT K ON THE ELLIPTIC CURVE 
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USER A COMPUTES R=Kx mod q, IF R=0 THEN RETURN 
TO STEP 6, OTHERWISE DO THE NEXT STEP 
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USER A COMPUTES S=(k^l)(h+xR), IF S=0 THEN RETURN 
TO STEP 6, OTHERWISE DO THE NEXT STEP 
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USER A TRANSMITS y. q, M, R, AND S TO USER B 
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SET n = ;i^ + (-l)^"''yi;2 + 2>2^ 
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SET 



32 



SET d = la-j^x)/n)\ 
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SET 



w - x-j^c + lj^d 
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SET . / 

z = -j2C-j^d'-i-l) j^d 
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RETURN w and z 
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SETi=0 
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IF w IS EVEN THEN SET x. = 0 
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SET w = w - X. 
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IS w=0 and z=0? 
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RETURN 
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COMPUTE 3; = x G 
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SET 

w = k-j^c + 2j2d 
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RETURN w and z 
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SETi=0 
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IF w IS EVEN THEN SET k- = 0 

OTHERWISE SET 

k. = 1 -2[((>v- 1 +2z)/2)mod2] 



SET w = w - k- 
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SET temp=w 
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IS w=0 and z=0? 



NO 
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RETURN 



FIG. 7 



07/29/2003, EAST Version: 1.04.0000 



U.S. Patent jim. 5,2001 sheet 8 of 15 



us 6,243,467 Bl 





COMPUTE K = kp 










CI 

SETi=i-l — 








SET K = 



80 



IF 








THEN SET 


K 


= K-^G 


IF it. = -I 






THEN SET 


K 


= K-G 




83 



FIG. 8 



07/29/2003, EAST Version: 1.04.0000 



U.S. Patent 



Jun. 5, 2001 Sheet 9 of 15 



US 6,243,467 Bl 



88 f 



USER B RECEIVES y, q, M, R, AND S FROM USER A 



89 



IF 0<R<q AND 0<S<q THEN CONTINUE, OTHERWISE STOP 
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USER B FORMS THE HASH h OF M 
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USER B COMPUTES f=S'^l mod q 
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USER B COMPUTES b=hf mod q AND t=Rf mod q 
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USER B REDUCES b AND GENERATBS A TAU-ADIC 
EXPANSION FOR REDUCED b IN NON- ADJACENT FORM 
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USER B MULTIPLIES G BY THE TAU-ADIC EXPANSION OF 
REDUCED b TO FORM THE POINT B ON THE CURVE 
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USER B REDUCES t AND GENERATES A TAU-ADIC 
EXPANSION FOR REDUCED t IN NON- ADJACENT FORM 
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USER B MULTIPLIES G BY THE TAU-ADIC EXPANSION OF 
REDUCED t TO FORM THE POINT T ON THE CURVE 
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USER B COMPUTES THE POINT V=B+T, WHERE V=(Vx, Vy) 
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USER B COMPUTES v=Vx mod q 



IF v=:R THEN THE DIGITAL SIGNATURE IS VERIFIED, 
OTHERWISE THE DIGITAL SIGNATURE IS NOT VERIFIED 
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SETi=0 
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METHOD OF ELLIPTIC CURVE 
CRYPTOGRAPHIC DIGITAL SIGNATURE 
GENERATION AND VERIFICATION USING 
REDUCED BASE TAU EXPANSION IN 
NON-ADJACENT FORM 

FIELD OF THE INVENTION 

This invention relates to cryptography and, more 
particularly, to the generation and verification of a discrete 
logarithm based digital signature on an elliptic curve using 
a reduced base tau expansion in non-adjacent form. 

BACKGROUND OF THE INVENTION 

The field of cryptography has spawned numerous devices 
and methods such as scramblers, symmetiic-key encryptors, 
and pubhc-key encryptors. 

A scrambler is a device that receives an unencrypted 
message (i.e., plaintext) and produces an encrypted message 
(le., ciphertext). The encryptioD function of a scrambler is 
fixed in hardware and does not change from message to 
message. One of the problems with a scrambler is that the 
same plaintext will produce the same ciphertext. An adver- 
sary may collect ciphertext messages from a particular 
scrambler and compare them against each other in order to 
analyze a particular ciphertext message. To overcome this 
problem, the users may change the function of the scrambler 
periodically. Such a solution is time consuming and expen- 
sive. 

Another solution to the problem associated with a scram- 
bler is symmetric-key encryption. Asymmetric-key encryp- 
tor has two inputs (i.e., plaintext and a cryptographic key). 
A cryptographic key is a message, or number, that should 
appear random to an adversary. Asymmetric-key encryptor 
combines the cryptographic key with the plaintext using a 
scrambling function in order to generate ciphertext. The 
same plaintext may produce different ciphertext if the cryp- 
tographic key is changed. Since the cryptographic key is a 
message, or a number, it is much easier to change than the 
function of the scrambler which is built into hardware. In 
fact, the cryptographic key may be changed on a message to 
message basis without much difficulty. This method is called 
symmetric-key encryption because the intended recipient 
must possess the cryptographic key used to generate the 
ciphertext in order to recover the plaintext. The intended 
recipient must also possess a function that performs the 
inverse of the scrambling function used to generate the 
ciphertext. Typically, the inverse of the scrambling function 
may be the achieved by operating the scrambling function in 
reverse. If this is the case, the intended recipient must 
possess the same cryptographic key and the scrambling 
function used to generate the ciphertext in order to recover 
the plaintext. 

Even though symmetric-key encryptors make the fastest 
encryptors they suffer from a few problems. The first prob- 
lem is distributing cryptographic keys to authorized users in 
a secure fashion. A courier may be required to deliver the 
first cryptographic key to the users. This is time consmning 
and expensive. The second problem is knowing whether or 
not ciphertext came from a particular person. Anyone know- 
ing the cryptographic key may encrypt or decrypt a message 
produced using a symmetric-key encryptor as long as they 
know the cryptographic key, the scrambling function, and 
the dcscrambling function. 

U.S. Pat. No. 4,200,770, entiUed "CRYPTOGRAPHIC 
APPARATUS AND METHOD/' discloses a device for and 
method of performing a cryptographic key exchange over a 
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public channel. The method is often called a public-key key 
exchange method or the Diffie-Hellman key exchange 
method after the first two named inventors of U.S. Pat. No. 
4,200,770. The Diffie-Hellman key exchange method uses 

5 the exponentiation function to allow two users to conceal 
and transmit their secret information to the other xiser. The 
users then combine what they received with their secret 
information in order to generate the same cryptographic key. 
To recover the secret information that was transmitted and 
construct the cryptographic key, an adversary would have to 
find the logarithm of what was transmitted. If the values 
involved are large enough the logarithm, or discrete log, 
problem is believed to be intractable. U.S. Pat. No. 4,200, 
770 is hereby incorporated by reference into the specifica- 
tion of the present invention. The Diffie-Hellman key 
exchange method offers a solution to the symmetric-key key 
distribution problem, but it does not solve the problem of 
verifying the identity of the sender of the ciphertext. 
Asymmetric-key, or public-key, encryption was proposed 

2Q as a solution to identifying the sender of the ciphertext. This 
problem is often referred to as being able to provide, and 
verify, a digital signature. Two different, but mathematically 
related, cryptographic keys are used in asymmetric-key, or 
pubhc-key, encryption. Typically, a first, or secret, key is 

25 used to generate ciphertext while a second, or public, key is 
used to recover the plaintext. Each user possesses their own 
secret key and mathematically related public key. Each user 
keeps their secret key secret and makes their public key 
pubhc. A first user may now generate ciphertext using their 

3Q secret key and a second user may recover the corresponding 
plaintext using the corresponding public key. If the first user 
is the only person who knows the first user's secret key then 
the second user is assured that the ciphertext came from the 
first user. 

35 In the example just given, anyone knowing the first user's 
pubhc key, which is everyone, could recover the correspond- 
ing plaintext. If two users wish to comm\micate securely 
with some assurance that the message is from a particular 
person, the first user would encrypt the plaintext using the 

40 first user^s secret key then the intended recipient's public 
key to encrypt the ciphertext and something to identify the 
first user. The recipient would then use their secret key to 
recover the ciphertext and the identification material. The 
identification material is then used to identify the public key 

45 of the first user. The first user's pubfic key is then used to 
recover the plaintext. If the first user is the only one who 
know's the first user's secret key and the intended recipient 
is the only one who knows the recipient's secret key then the 
recipient is the only one who can recover the plaintext and 

50 is assured that the ciphertext came from the first user. 

U.S. Pat. No. 4,405,829, entitled "CRYPTOGRAPHIC 
COMMUNICATIONS SYSTEM AND METHOD,^' dis- 
closes one type of pubhc-key encryption device and method 
known as RSA after the three names inventors Messrs. 

55 Rivest, Shamir, and Adleman. Although RSA uses 
exponentiation, an adversary is required to factor the product 
of two prime numbers used to generate the secret key from 
the chosen public key in order to recover plaintext. If the 
prime numbers arc large enough, it is believed that the 

60 factoring problem is intractable. U.S. Pat. No. 4,405,829 is 
hereby incorporated into the specification of the present 
invention. 

Taher ElGamal developed a public-key digital signature 
scheme based on the extended EucUdean algorithm. In this 
65 scheme, a first user generates a secret value x as the first 
user's secret key. The first user uses exponentiation to 
conceal the secret key and pubhshes the result (i.e., y^g'^x 
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mod p) as the first user's public key. The first user then 
generates a random number k and uses exponentiation to 
conceal the random number (ix., r=g"k mod p). The result 
r is one of two values that will be used as a signature for a 
message m from the first user. Next, the first user generates 5 
an equation that includes the message m, the secret key x, 
the random number k, the first half of the signature r, and a 
variable that represents the second half of the signature s 
(i.e., m=xa+ks (mod p-1)). The first user then solves the 
equation for s and transmits the message, the public key, and lO 
the two halves of the signature (i.e., r,s) to the recipient. The 
recipient, knowing p and g, checks to see if (y^r)(r"s) mod 
p-sg'm mod p. If so, the recipient is assiued that the 
transmission came from the first user. 

The math associated with the ElGamars digital signature 15 
scheme is complex and the digital signature is rather long. 
U.S. Pal. No. 4,995,082, entitled "METHOD FOR IDEN- 
TIFYING SUBSCRIBERS AND FOR GENERATING 
AND VERIFYING ELECTRONIC SIGNATURES IN A 
DATA EXCHANGE SYSTEM," discloses a method of 20 
generating a shorter digital signature in a secure manner that 
using different and less complex mathematics. U.S. Pat, No. 
4,995,082 is hereby incorporated by reference into the 
specification of the present invention. 

U.S. Pat. No. 5,231,668, entitled "DIGITAL SIGNA- 
TURE ALGORITHM," improves upon the digital signature 
of ElGamal by reducing the size of the digital signature but 
maintaining liie mathematical complexity. U.S. Pat. No. 
5,231,668 is- hereby incorporated by reference into the 
specification of the present invention. 

U.S. Pat. No. 5,497,423, enUlled "METHOD OF IMPLE- 
MENTING ELLIPTIC CURVE CRYPTOSYSTEMS IN 
DIGITAL SIGNATURES OR VERIFICATION AND PRI- 
VACY COMMUNICAHON"; U.S. Pal. No. 5,581,616, 
entitled "METHOD AND APPARATUS FOR DIGITAL 
SIGNATURE AUTHENTICAHON"; U.S. Pat. No. 5,600, 
725, entitled "DIGITAL' SIGNATURE METHOD AND 
KEY AGREEMENT METHOD"; U.S. Pat. No. 5,604,805, 
entitled "PRTVACY-PROTECTED TRANSFER OF ELEC- 
TRONIC INFORMATION"; U.S. Pat. No. 5,606,617, 
entitled "SECRET-KEY CERTIHCATES": and U.S. Pat. 
No. 5,761,305, entitled "KEY-AGREEMENT AND 
TRANSPORT PROTOCOL WITH IMPLICIT 
SIGNATURES," disclose either an elliptic curve version of 
the above -identified digital signature schemes or a different 
digital signature scheme. None of these elliptic curve digital 
signature schemes disclose a method of generating and 
verifying a digital signature such that the number of elliptic 
curve operations is minimizes as does the present invention. 

The cryptographic strength of any method based on tbe 
Digital Signature Algorithm is based on the apparent intrac- 
tability of finding a discrete logarithm, or discrete log, under 
certain conditions. In order for an adversary to recover 
concealed information, the adversary must be able to per- 
form the inverse of exponentiation (i.e., a logarithm). There 
are mathematical methods for finding a discrete logarithm 
(e.g., the Number Field Sieve), but these algorithms cannot 
be done in any reasonable time using sophisticated comput- 
ers if certain conditions are met during the construction of a 
transmission that conceals information (e.g., the numbers 
involved are large enough). 

More precisely, the cryptographic strength of the Digital 
Signature Algorithm is based on the difficulty of computing 
discrete logs in a finite cyclic group. MathematicaUy, the 
discrete log problem is as follows. Let G be a finite cyclic 
group of order q, where g is a generator of G. Let r be a 
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secret number such that 0<r<q, Given G, q, g, and g\ where 
denotes exponentiation, find r, where r is the discrete 
logarithm, or discrete log, of g"r. The discrete log problem 
is to find r. 

In a Dififie-HeUman key exchange, two users (e.g., User A 
and User B) agree on a common G, g, and q. In practice, the 
most oommoQ choice for G is the integers mod n, where n 
is an integer. 

Large digital signatures pose problems not only for the 
adversary but also for the users. Large digital signatures 
require large amounts of computational power and require 
large amounts of time in order to generate and use the digital 
signature. Cryptographers are always looking for ways to 
qiiickly generate the shortest digital signatures possible that 
meet the cryptographic strength required to protect the 
digital signature. The payoff for finding such a method is that 
cryptography can be done faster, cheaper, and in devices that 
do not have large amounts of computational power (e.g., 
hand-held smart-cards). 

The choice of the group G is critical in a cryptographic 
system. The discrete log problem may be more difficult in 
one group and, therefore, cryptographically stronger than in 
another group, allowing the use of smaller parameters but 
maintaining the same level of security. Working with small 
munbers is easier than working with large numbers. Small 
numbers allow the cryptographic system to be higher per- 
forming (i.e., faster) and requires less storage. So, by choos- 
ing the right group, a user may be able to work with smaller 
numbers, make a faster cryptographic system, and get the 
same, or better, cryptographic strength than from another 
cryptographic system that uses larger numbers. 

The classical choice for G in a digital signature scheme 
are integers mod where n is an integer as well. In 1985, 
Victor MOler and Neal Koblitz each suggested choosing G 
from elliptic curves. It is conjectured that choosing such a G 
allows the use of much smaller parameters, yet the discrete 
log problem using these groups is as difficult, or more 
difficult, than integer-based discrete log problems using 
larger numbers. This allows the users to generate a digital 
signature that has the same, or better, cryptographic strength 
as a digital signature generated from an integer G and is 
shorter than the integer-based digital signature. Since shorter 
digital signatures are easier to deal with, a cryptographic 
system based on a shorter digital signature may be faster, 
cheaper, and implemented in computationally-restricted 
devices. So, an elliptic curve Digital Signature Algorithm is 
an improvement over an integer-based Digital Signature 
Algorithm. 

More precisely, an elliptic curve is defined over a field F. 
An elliptic curve is the set of all ordered pairs (x,y) that 
satisfy a particular cubic equation over a field F, where x and 
y are each members of the field F. Each ordered pair is called 
a point on the elliptic curve. In addition to these points, there 
is another point 0 called the point at infinity. The infinity 
point is the additive identity (i.e., the infinity point plus any 
other point results in that other point). For cryptographic 
purposes, elliptic curves are typically chosen with F as the 
integers mod p for some large prime number p (i.e., F^) or 
as the field of 2'm elements (i.e., F^m). 

Multiplication or, more precisely, scalar multiplication is 
the dominant operation in elliptic curve cryptography. The 
speed at which multiplication can be done determines the 
performance of an elhptic curve method. 
65 Multiplication of a point P on an elliptic curve by an 
integer k may be realized by a series of additions (i.e., 
kP=P+P+ . . . +P, where the number of Ps is equal to k). This 
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is very easy to implement in hardware since only an elliptic expansion are non-zero (i.e., two Is, irrespective of polarity, 

adder is required, but it is very inefficient. That is, the may not be next to each other). Such a signed binary 

number of operations is equal to k which may be very large. expansion is called a non- adjacent form (NAF) of a signed 

The classical approach to eUiptic curve multiplication is a binary expansion. It has been shown that a NAF signed 

double and add approach. For example, if a user wishes to 5 binary expansion is unique (i.c., each mteger has only one 

realize kP, where k-25 then 25 is first represented as a binary NAF signed bmary expansion) and contams the mmimum 

expansion of 25. That is, 25 is represented as a binary number of Is, irrespecUve of polanty. By minimizing the Is, 

number 11001. Next, P is doubled a number of times equal the number of additions is mmimized. The unprovement 

to the number of bits in the binary expansion minus 1. For proposed by Messrs. Morain and Olivos still requires m 

ease in generating an equation of the number of operations, lO doubles but only requires an average of m/3 additions for a 

the number of doubles is taken as m rather than m-1. The total of 4m/3 elhptic curve operations. This is less than the 

price for simplicity here is being off by 1. In this example, 3m/2 elliptic curve operations required by the classical 

the doubles are 2P, 4P, 8P, and 16P. The doubles correspond double and add method described above, 

to the bit locations in the binary expansion of 25 (i.e.. In an article entitled "CM-Cuives With Good Crypto- 

11001), except for the Is bit. The doubles that correspond to 15 graphic Properties", authored by Neal Koblitz, published in 

bit locations that are is are then added along with P if the is Crypto '91, 1991, pp. 279-287, the author discloses an 

bit is a 1. The number of adds equals the number of Is in the improvement to the double/add/subtract method mentioned 

binary expansion. In this example, there are three additions above by working in a particular family of elliptic curves 

since there are three Is in the binary expansion of 25 (i.e., (i.e., Koblitz Curves). Koblitz Curves are characteristic 2 

11001). So, 25P=16P-t-8P+P. 20 curves of the form 

On average, there are m/2 Is in k. This results ill m E^:y'7,xy-x^M^^hb, wheie -a" and "b" are members of F,. 
doubles and m/2 additions for a total of 3m/2 operations. 

Since the number of bits in k is always less than the value xhe group on which the key agreement is based is the 

of k, the double and add approach requires fewer operations ^ group of F2m-rational points on E^, which is chosen to have 

than does the addition method described above. Therefore, a low complexity normal basis. To operate on such curves, 

the double and add approach is more efficient (i.e., faster) the multiplier k is expanded in powers of a complex number 

than the addition approach. as follows: 

While working on an elliptic curve allows smaller param- 
eters relative to a modular arithmetic based system offering "^-((-l) «+((-'') 0-5))/2. . 

the same security, some of the efficiency advantage of The expansion is referred to as a base tau expansion. Similar 

smaller parameters is offset by the added complexity of to the binary expansions, the base tau expansion requires the 

doing arithmetic on an elHptic curve as opposed to ordinary ^^^-^^^ ^ ^^^^^^ ^ ^^^^ ^erm in the expansion and an add 

modular arithmetic. For purposes of determmmg efficiency, ^^^^ non-zero term in the expansion. Aproperty of these 

elliptic doubles and elliptic additions are often grouped and 3^ ^^^^^ nomdl basis representation is that the analog of 

considered elliptic operations. To gain even more efficiency doubUng can be performed by a circular shift of bits and is, 

advantages by going to elUptic curves, cryptographers seek effectively, free. U.S. Pat, No. 4,567,600, entitled 

ways to reduce the cost of an eUiptic curve operation, or "METHOD AND APPARATUS FOR MAINTAINING 

reduce the number of elliptic operations required. An elliptic -j^^ PRIVACY OF DIGITAL MESSAGES CONVEYED 
curve method that requires fewer operations, or more effi- ^ gy PUBLIC TRANSMISSION," and U.S. Pat. No. 4,587, 

ciently executable operations, would result in an increase in g27, entitled "COMPUTAHONAL METHOD AND APPA- 

the speed, or performance, of any device that unplements raTUS FOR FINITE FIELD ARITHMETIC," each dis- 

such a method. ^.^^^ method of getting the analog of doubles for free, 

It is no more costly to do elliptic curve subtractions than ^^t neither of these patents disclose the method of the 
it is to do elliptic curve additions. Therefore, a doubles and 45 present invention. U.S. Pat. Nos. 4,567,600 and 4,587,627 

add approach to doing elliptic curve multiplication may be are each hereby incorporated by reference into the specifi- 

modified to include subtraction where appropriate. There are cation of the present invention. A downside of the base tau 

an infinite number of ways to represent an integer as a signed expansion is that it is 2m-bits long for a k that is m-bits long, 

binary expansion. The negative Is in a signed binary expan- Another downside to the base tau expansion is that the rule 
sion indicate subtraction in a double/add/subtract method 50 for getting a minimum number of non-zero terms that was 

while the positive is in the signed binary expansion indicate used in the binary case does not work for the base tau 

addition in the double/add/subtract method. For example, 25 expansion. On average, Vb of the base tau expansion is 

may be represented as an unsigned binary number 11001 non-zero. Since the base tau expansion is 2m-bits long, the 

(i.e., 16+8+1-25) or as one possible signed binary number total number of elliptic curve operations is expected to be 
"1 0-100 r (i.e., 32-8+1-25). S5 (V8)x2m=3m/4. This is less than the 4m/3 elliptic curve 

In an article entitled "Speeding Up The Computations On operations required by the non-adjacent form (NAF) of the 
An Elliptic Curve Using Addition-Subtraction Chains^', double/add/subtract method described above, 
authored by Francois Morain and Jorge Olivos, published in In an article entitled "Efficient Multiplication on Certain 
Theoretical Informatics and Applications, Vol. 24, No. 6, Nonsupersingular ElUptic Curves'*, authored by Willi Meier 
1990, pp. 531-544, the authors disclose an improvement to so and Othmar Staffelbach, published in Crypto '92, 1992, pp. 
the double/add/subtract method mentioned above by placing 333-343, the authors disclose an improvement to the base 
a restriction on the signed binary expansion that results in tau expansion described above, Messrs. Meier and Staff el- 
fewer elliptic additions being required to do an eUiptic curve bach disclose a method of generating a base tau expansion 
multipUcation and, therefore, increase the performance (i.e., that is only m-bits long. They achieve this result by reducing 
speed) of elliptic curve multiplication. Messrs. Morain and 65 k by mod(T:^-l) and multiplying P by the (k mod(-t^-l)). 
Olivos proposed generating a signed binary expansion such One-half of the terms of this reduced base tau expansion is 
that no two adjacent bit locations in the signed binary non-zero. So, the expected number of elliptic curve opera- 
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tioDS for the reduced base tau expansion is mx(V^)=m/2. This 
is less than the 3m/4 cUiptic curve operations required by the 
con- reduced base tau expansion method described above. 

The present invention discloses an discrete log based 
digital signature method on an elliptic curve that requires 5 
fewer elliptic curve operations than the prior art methods 
Usted above. 

SUMMARY OF THE INVENTION 

. It is an object of the present invention to securely generate 
and verify a digital signature. 

It is another object of the present invention to securely 
generate and verify a digital signature based on the discrete 
logarithm problem. 

It is another object of the present invention to securely 
generate and verify a digital signature based on the discrete 
logarithm problem and on an elliptic curve. 

It is another object of the present invention to securely 
generate and verify a digital signature based on the discrete 20 
logarithm problem and on an elliptic curve in a manner that 
minimizes the total number of clUptic curve operations for 
an elUptic curve multiplication. 

Elliptic curve multiplication is the operation that deter- 
mines the efficiency (i.e., speed) of an elliptic curve cryp- ^ 
tographic method such as a digital signature method of the 
present invention. 

Tlic present invention is a method of generating and 
verifying a discrete log based digital signature on an elliptic 
curve in a manner that requires the fewest total number of 
elliptic curve operations for an elliptic curve multiplication 
than any presently known method. The present method uses 
a reduced base tau expansion in non-adjacent form (NAF) 
on a Koblitz Curve to require only m/3-0.33m total number 
of elliptic curve operations for an elliptic curve 
multiphcation, where m is the number of bits in k, and where 
k in the multiplier of an elliptic curve point P (i.e., kP). This 
compares favorably with the repeated addition method 
described above which requires k'-2"m total elUptic curve 
operations for an elliptic curve multiplication, the double 
and add method described above which requires 3m/2-1.5m 
operations, the non-adjacent form binary expansion method 
described above which requires 4m/3'-133m operations, the 
base tau expansion on a KobUtz Curve method described 
above which requires 3m/4-0.75m operations, and the ^ 
reduced base tau expansion on Koblitz Curves described 
above which requires m/2-0.5m operations. Note that the 
steps of the non-adjacent form binary expansion do not 
apply to a base tau expansion. Therefore, the present method 
performs the basic elliptic curve operation with 33% fewer 
operations than the next best method presently known. 

The method of the present involves two parts. The first 
part is for a fiist user (e.g.. User A) to generate a digital 
signature and transmit it to a second user (e.g.. User B). The 
second part is for User B to verify the digital signature. 

In the first digital signature generation step. User A picks 
a characteristic 2 elliptic Koblitz Curve defined as follows: 

where "a" is a member of field F^. The digital signature 
generation is performed over the field F2m, where m is an 
integer. User A also picks a base point G=(G^,G^) on the 
elliptic curve, where G is of order q. 

In the second digital signature generation step, User A 65 
generates a signature key x and a message M, where x and . 
M are integers. 
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In the third digital signature generation step. User A 
reduces x by modulo (x^-1), where t=((-1)'^+((-7)^0.5))/2 
and generates a base tau expansion, in Qon-adjacent form, of 
the reduced x. 

In the fourth digital signature generation step, User A 
multipUes G by the base tau expansion, in non-adjacent 
form, of the reduced x to form the point y on the elliptic 
curve, where y={y^,yy)^ 

In the fifth digital signature generation step, User A forms 
a hash of the message (i.e., h-Hash(M), where Hash is a 
suitable and secure one-way hash function). 

In the sixth digital signature generation step, User A 
generates a private integer k, reduces k modulo (t^-1), and 
generates a base tau expansion, in non-adjacent form, of the 
reduced k. 

In the seventh digital signature generation step. User A 
multiphes G by the base tau expansion, in non-adjacent 
form, of the reduced k to form the point K on the elliptic 
curve, where K=(K^Ky). 

In the eighth digital signature generation step. User A 
computes R=K^ mod q, where the bit stream representing K^ 
is interpreted as an integer. If R-0 then the next step is to 
return to the sixth step described above and proceed from 
there. If R^O then the next step is the ninth step listed below. 

In the ninth digital signature generation step, User A 
computes S=(k"-l)(b+xR), If S=0 then the next step is to 
return to the sixth step described above and proceed from 
there. If S^Q then the next step is the tenth step listed below. 

In the tenth and final digital signature generation step, 
User A transmits y, q, M, R, and S to User B. 

User B performs the following steps in order to verify the 
digital signature (R,S) transmitted by User A. 

In the first digital signature verification step, User B 
receives y, q, M, R, and S from User A. 

In the second digital signature verification step, User B 
checks to see whether or not 0<R<q and 0<S<q. If 0<R<q 
and 0<S<q then proceed to the next step, otherwise stop. If 
processing is stopped then the digital signature received is 
not verified. 

In the third digital signature verification step, User B form 
the hash of M (i.e., h-Hash(M), where Hash is the same hash 
function used by User A). 

In the fourth digital signature verification step, User B 
computes f=(S"-l) mod q. 

In the fifth digital signature verification step, User B 
computes b=hf mod q and t=Rf mod q. 

In the sixth digital signature verification step, User B 
reduces b by modulo (t^-1) and generates a base tau 
expansion, in non-adjacent form, of the reduced b. 

In the seventh digital signature verification step, User B 
multiplies G by the base tau expansion of the reduced b to 
form the point B on the elliptic curve, where B«=(B^, By) 

In the eighth digital signature verification step, User B 
reduces t by modulo (t^-1) and generates a base tau 
expansion, in non-adjacent form, of the reduced t. 

In the ninth digital signature verification step, User B 
multiplies G by the base tau expansion of the reduced t to 
form the point T on the elliptic curve, where T=(T_^, T^). 

In the tenth digital signature verification step, User B 
computes the point V=B+T on the elUptic curve, where 
V=(V^ Vy). Note that elliptic curve addition is required to 
add elliptic curve points B and T 

In the eleventh digital signature verification step. User B 
computes an integer v«V^ mod q, where the bit string 
representing the coordinate of the poiat V on the elliptic 
curve is inteq)rcted as an integer. 

In the twelfth and last digital signature verification step, 
User B checks to see if v=R. If v=R then the digital signature 
is verified. Otherwise, the digital signature is not verified. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a list of steps for generating a digital signature 
in accordance with the present invention; 

FIG. 2 is a list of steps for expressing (^-1) as h+j^^; 

FIG. 3 is a list of steps for reducing a signature key x; 

FIG. 4 is a list of steps for representing the reduced 
signature key of FIG. 3 as a base tau expansion in non- 
adjacent form; 

FIG. 5 is a list of steps for multiplying the point G by the 
reduced signature key represented as a base tau expansion in 
non-adjacent form to form a point y; 

FIG. 6 is a list of steps for reducing a private integer k; 

FIG. 7 is a list of steps for representing the reduced private 
integer of FIG. 6 as a base tau expansion in non- adjacent 
form; 

FIG. 8 is a Ust of steps for multiplying the point G by the 
reduced private integer of FIG. 6 reprcscoted as a base tau 
expansion in non-adjacent form to form a point K; 

FIG. 9 is a list of steps for verifying a digital signature 
generated in accordance with the present invention; 

FIG. 10 is a Ust of steps for reducing an integer b; 

FIG. 11 is a list of the steps for representing the reduced 
integer of FIG. 10 as a base tau expansion in non-adjacent 
form; 

FIG. 12 is a Ust of steps for multiplying the point G by the 
reduced integer of FIG. 10 represented as a base tau expan- 
sion in non-adj acent form to form a point B; 

FIG. 13 is a Ust of steps for reducing an integer t; 

FIG. 14 is a list of steps for representing the reduced 
integer of FIG. 13 as a base tau expansion in non- adjacent 
form; and 

FIG. 15 is a list of steps for multiplying the point y by the 
reduced integer of FIG. 13 represented as a base tau expan- 
sion in non-adj acent form to form a point T. 

DETAILED DESCRIPTION 

Ihe present invention is a method of generating and 
verifying a discrete log based cryptographic digital signature 
on an eUiptic curve in a manner that requires the fewest total 
number of elUptic curve operations for an elliptic curve 
multiplication than any method known presently. The 
present method uses a reduced base tau expansion in non- 
adjacent form (NAF) on an Koblitz Curve to require only 
m/3»'0.33m total number of elUptic curve operations for an 
elliptic curve multiplication, where m is the number of bits 
in k, and where k is the multiplier of an elHptic curve point 
P (i.e., kP). This compares favorably with the repeated 
addition method described above which requires k«2^m total 
elliptic curve operations for an eUiptic curve multiphcation, 
the double and add method described above which requires 
3m/2=1.5m operations, the non-adjacent form binary expan- 
sion method described above which requires 4m/3*«1.33m 
operations, the base tau expansion on a Koblitz Curve 
method described above which requires 3m/4=0.75m 
operations, and the reduced base tau expansion on Koblitz 
Cfurves described above which requires m/2-0.5m opera- 
tions. Note that the steps of the non- adjacent form binary 
expansion do not apply to a base tau expansion. Therefore, 
the present method performs the basic elliptic curve opera- 
tion with 33% fewer operations than the next best method 
presently known. 

FIG. 1 is a Hst of steps for generating a digital signature 
according to the present invention. The first step 1 for 
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generating a digital signature is for a first user (e.g.. User A) 
who wish to send a message that is signed digitally to a 
second user (e.g., User B) to select a characteristic 2 elliptic 
Koblitz Curve defined as follows: 

^ £^.7l+xy-jt'3+«(j«:'7)+l, 

where "a" is a member of field F^. The digital signature 
generation is performed over the field F^m, where m is an 
integer. User A also selects a base point G'=(G^,G^) on the 

10 eUiptic curve, where G is of order q. 

The second step 2 for generating a digital signature is for 
User A to generate a private signature key x and a message 
M, where x and M are both integers. The following steps are 
performed in order to protect the private signature key so 

15 that an adversary may not recover the private signature key 
from information transmitted over a public channel and 
other public information. The elUptic curve analogue to 
integer exponentiation is used to protect the private signa- 
ture key. For an adversary to mathematically recover the 

20 private signature key, the adversary must solve a discrete 
logarithm problem. Such a problem is considered intractable 
if the parameters used to protect the private signature key 
meet certain characteristics (e.g., are long enough etc.). 
Elliptic curve multiplication is mathematically analogous to 

25 integer exponentiation. 

The third step 3 for generating a digital signature is for 
User A to reduce x by modulo (t^-1), where t*=((-1)"+((- 
7)"0.5))/2 and to generate a base tau expansion of the 
reduced x in non- adjacent form. The exact steps of gener- 

30 ating (x mod (if"-l)) and generating a base tau expansion of 
(x mod (t^-1)) are described below and are listed in FIG. 2, 
FIG. 3, and FIG. 4. 

The fourth step 4 for generating a digital signature as 
hsted in FIG. 1 is for User A to multiply the base point G by 

35 the base tau expansion, in non-adjacent form, of the reduced 
X to form a point y on the elliptic curve. The point y is a 
public signature key that corresponds to the private signature 
key X. The exact details of the multiplication are described 
below and are listed in FIG. 5. 

40 The fifth step 5 of generating a digital signature as listed 
in RG. 1 is for User A to for a hash h of the message M (i.e., 
h=Hash(M), where "Hash" is any suitable secure one way 
hash function). A hash function is a function that takes in an 
input of a certain length and puts out a signal based on the 

45 input that is of a shorter length. Examples of suitable 
one-way hash functions include the Secure Hash Algorithm 
(i.e., SHA) and the various versions of Message Digest (e.g., 
MD2, MD4, and MD5). SHA is disclosed in NIST FIPS 
PUB 186, entitled Digital Signature Standard, 

50 The sixth step 6 for generating a digital signamre is for 
User A to generate a private mteger k, reduce k by modulo 
(t^-l), and generate a base tau expansion, in non-adjacent 
form, for the reduced k. The exact steps of generating (k mod 
(xm-1)) and generating a base tau expansion of (k mod 

55 (t^"l)) are described below and are fisted in FIG. 6 and FIG. 
7. Note that the result of FIG. 2 (i.e., expressing (x^-1) as 
Qx+h'^)) is used in FIG. 6. 

Ilie seventh step 7 for generating a digital signature as 
listed in FIG. 1 is for User A to multiply the base tau 

60 expansion, in non-adjacent form, of the reduced k by G to 
form a point K on the eUiptic curve, where K=(K^,Ky). The 
exact details of the multiplication are described below and 
are Usted in FIG. 8. 

The eighth step 8 for generating a digital signature as 

65 listed in FIG. 1 is for User A to compute R«(K3e mod q), 
where K^ is the x-coordinate of the point K generated in the 
seventh step 7 above. If R=0 then the next step is to return 
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to the sixth step 6 above and proceed from there. Otherwise, 
proceed to the ninth step 9 below and proceed from there. 

The ninth step 9 for generating a digital signature is for 
User A to compute S=(k*-l)(h+xR). If S=0 then the next 
step is to return to the sixth step 6 above and proceed from 
there. Otherwise, proceed to the tenth step 10 below. 

Hie tenth and final step 10 for generating a digital 
signature is for User A to transmit y, q, R, and S to User 
B. The digital signature for the message M is the pair (R,S), 
The point y is the public signature key corresponding to User 
A's private signature key and q is the order of the base point 
G. User B must know q in order to perform checks and 
modulo reductions. FIG. 2 lists some of the steps necessary 
to accomplish the portion of the third step 3 listed in FIG. 1 
of reducing x by mod (t^-1). The steps Usted in FIG. 2 
result in expressing (t^-l) in the form of ji+j2T:- The 
expression resulting from the steps listed in FIG. 2 will also 
be used below in the steps listed in FIG. 6, FIG. 10, and FIG. 
13 

The first step 20 listed in FIG. 2 is to set a parameter Lq 
equal to zero. 

The second step 21 listed in FIG. 2 is to set a second 
parameter equal to one. 

The third step 22 listed in FIG. 2 is to set a third parameter 
i equal to two. 

The fourth step 23 listed in FIG. 2 is to change the value 
of the parameter L,- according to the present value of i as 
follows: 

where "a" is the parameter used to described the particular 
elliptic curve selected by User A (i.e., y^+xy-x^+ax^+1). 

The fifth step 24 listed in FIG. 2 is to determine whether 
or not parameter i is equal to m, where m is the integer used 
to define the field F^m of the selected elliptic curve. 

If parameter i is not equal to m then the next step 25 is to 
increment parameter i by one and return to the fourth step 23 
for further processing. 

If parameter i is equal to m then the next step 26 is to set 
ji=-2L._j-l and set j2^=L,-. 

The final step 27 listed in FIG. 2 is to return jj and j^. Note 
that and ]^ will also be used in the steps listed below in 
FIG. 6, FIG. 10, and FIG. 13. 

FIG. 3 lists the remaining steps necessary to accomplish 
the portion of the third step 3 listed in FIG. 1 of reducing x 
by mod (x^-l), where (V"-l)Ha+j2't^- 

The first step 30 listed in FIG. 3 is to set n=Gi^)+(-l) 
^""j j2+2j2'2, where ji and jj resulted from the steps listed in 
FIG, 2 above, and where "a" is the parameter used to 
describe the selected elliptic curve. 

The second step 31 listed in FIG. 3 is to set c[=(jiX4<- 
l)^-''j2x)/nj, where "[ J" denotes the ftmction that returns the 
maximum integer not larger than the value contained 
therein. 

The third step 32 listed in FIG. 3 is to set d=[-j2x/nj. 
The fourth step 33 listed in FIG. 3 is to set w^x-jjC+lj^d. 
The fifth step 34 listed in FIG. 3 is to set z=j2C-jid-(- 
l)^-^,d. 

The sixth and last step 35 listed in HG. 3 is to return w 
and z. Note that w+zx represents the modular reduction of 
the private signature key x (i.e., (x mod (Tf"-1))). 

FIG. 4 lists the steps necessary to accomplish the portion 
of the third step 3 listed in FIG. 1 of representing the 
modular reduction of x as a base tau expansion in non- 
adjacent form. 

Tlie first step 40 fisted in FIG. 4 is to set a parameter i 
equal to zero. 
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The second step 41 listed in FIG. 4 is to determine 
whether or not w is even. This second step 41 may be 
returned to as described below. If the second step 41 is 
returned to, w would have a different value than before as 
5 described below. If w is even then set Xi=0, where x, 
represents the bit of the base tau expansion of x in 
non-adjacent form. If w is not even then set X(-=l-2[((w- 
l+2zy2)mod 2]. 

The third step 42 listed in FIG. 4 is to set w=w-x,-. 

The fourth step 43 listed in FIG. 4 is to set a temporary 
variable temp equal to w. 

The fifth step 44 listed in FIG. 4 is lo set w^-l)^-''(temp/ 
2)+z. 

The sixth step 45 listed in FIG. 4 is to set z=(-temp)/2. 

The seventh step 46 listed in FIG. 4 is to determine 
15 whether or not either w or z is not equal to zero. 

If either w or z is not equal to zero then the eighth step 47 
listed in FIG. 4 is to increment the parameter i by one. 

If the parameter i was incremented by one then the next 
after step 47 is to return to the second step 41 fisted in FIG. 
20 4 for further processing. 

If both w and z are equal to zero then the last step 48 listed 
in RG. 4 is to return the base tau expansion of the modular 
reduced x in non-adjacent form (i.e. (x^,x,_i, . . , ,Xo)), 

FIG. 5 lists the steps necessary to accomplish the fourth 
25 step 4 listed in FIG. 1 of multiplying the point G by the base 
tau expansion, in non-adjacent form, of the modular reduced 
X to form a point y on the elliptic curve. The point y is the 
public signature key that corresponds to the private signature 
key X. 

30 The first step 50 listed in FIG. 5 is to compute y-x,G, 

where x,- is the left-most bit of the result of the last step 48 

Usted in FIG. 4, 
The second step 51 fisted in FIG. 5 is to decrement the 

parameter i by one. 
35 The third step 52 listed in FIG, 5 is to set y-ty. This step 

may be accomplished by a shift of y. 

The fourth step 53 fisted in FIG. 5 is to determine if x,- is 

equal to one or minus one. If x^ is equal to one then set 

y-y+G. If Xj is equal to minus one set y-y-G. 
40 The fifth step 54 listed in FIG. 5 is to determine whether 

or not the parameter i is equal to zero. If the parameter i is 

equal to zero then the next step is to return to the second step 

51 listed in FIG. 5 for further processing. If the parameter i 

is equal to zero then the next and last step 55 Listed in FIG. 
45 5 is to return y. 

FIG. 6 lists the steps necessary to accomplish the portion 

of the sixth step 6 listed in FIG. 1 of reducing k by mod 

(x^-1), where (T:^-l)=ji+j2T:- 
The first step 60 listed in FIG. 6 is to set n=(ji^)+(-l) 
50 ^'''j j2+2j2"2, where j j and jj resulted from the steps fisted in 

FIG. 2 above, and where "a" is one of the parameters used 

to describe the selected elliptic curve. 
The second step 61 listed in FIG. 6 is to set c=>[(jik-t-(- 

l)^"''j2k)/nj, where "[ J** denotes the function that returns the 
55 maximum integer not larger than the value contained 

therein. 

The third step 62 fisted i n FIG. 6 is to set d=[-j2k/nj. 
The fourth step 63 fisted in FIG. 6 i s to set w^k-j^c+ljjd. 
The fifth step 64 listed in FIG. 6 is to set z«-j2C-jid-(- 
60 ly-'Jzd, 

The sixth and last step 65 listed in FIG. 6 is to return w 
and z. Note that w+zx represents the modular reduction of 
the private integer k (i.e., (k mod (x^-1))). 

FIG. 7 fists the steps necessary to accomplish the portion 
65 of the sixth step 6 listed in FIG. 1 of representing the 
modular reduction of k as a base tau expansion in non- 
adjacent form. 
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The first step 70 listed in FIG. 7 is to set a parameter i The fifth step 92 listed in FIG. 9 for verifying a digital 

equal to zero. signature is for User B to compute b=(hf mod q) and t=(Rf 

The second step 71 listed in FIG. 7 is to determine mod q). 

whether or not w is even. This second step 71 may be The sixth step 93 listed in FIG. 9 for verifying a digital 

returned to as described below. If the second step 71 is 5 signature is for User B to reduce b computed in the fifth step 

returned to, w would have a different value than before as 92 listed in FIG. 9 by modulo (t™-l), where x=((-l)''+((- 

described below. If w is even then set k-0 where 7)"0.5))/2 and generating a base tau expansion of the 

represents the i*^ bit of the base tau expansion of k in reduced b in non-adjacent form. The exact steps for gener- 

non-adjacent form. If w is not even then set k,=l-2[((w- mod (x""-!)) and generating a base tau expansion of 

l+2z)/2)rD0d 2J. * 1 10 (b mod (t"-1)) are described below and are listed in FIG. 10 

The third step 72 listed m FIG. 7 is to set w=w-k,.. ^ , ^ 

The fourth step 73 listed in FIG. 7 is to set a temporary ^™ * \ , nA v . ^ • T^jr^ at -c, ■ j- 1 

variable temp equal to w. ^ ^ Tte seventh s ep 94 listed in FIG. 9 for venfymg a digital 

Hie fifth step 74 Usted in FIG. 7 is to set w=(-iy-(temp/ ^^S'^^^ure is for User B to m^tiply the base pomt G by the 

2^^2 expansion, m non-adjacent form, of the reduced b 

The sixth step 75 listed in FIG. 7 is to set z-(-temp)/2. 15 to form a point B on the elliptic curve. The exact details of 

The seventh step 76 listed in FIG. 7 is to determine the multiplication are described below and are listed in FIG. 

whether or not either w or z is not equal to zero. 12. 

If either w or z is not equal to zero then the eighth step 77 The eighth step 95 listed in FIG, 9 for verifying a digital 

listed in FIG. 7 is to increment the parameter i by one. signature is for User B to reduce t computed in the fifth step 

If the parameter i was incremented by one then the next 20 92 listed in FIG. 9 by modulo (t^-1), where x=((-l)''+((- 

after step 77 is to return to the second step 71 listed in FIG. 7)"0.5))/2 and generating a base tau expansion of the 

7 for further processing. reduced t in non- adjacent form. The exact steps for gener- 
If both w and z are equal to zero then the last step 78 listed ating (t mod (t^-l)) and generating a tau-adic expansion of 

in FIG. 7 is to return the base tau expansion of the modular (t mod (r^-l)) are described below and are listed in FIG. 13 

reduced k in non-adjacent form (i.e., (k^Xi-u ■ • • ^))* ^ F^^* 1^- 

FIG. 8 lists the steps necessary to accomplish the seventh The ninth step 96 listed in FIG. 9 for verifying a digital 

step 7 listed in FIG. 1 of multiplying the point G by the base signature is for User B to multiply the base point G by the 

tau expansion, in non- adjacent form, of the modular reduced base tau expansion, in non-adjacent form, of the reduced t to 

k to form a point K on the elliptic curve, where K-(K^Ky) form a point T on the elliptic curve. The exact details of the 

The first step 80 listed in FIG. 8 is to compute K-k,G, 30 multiplication are described below and are listed in FIG. 15. 

where k, is the left-most bit of the result of the last step 78 The tenth step 97 listed in FIG. 9 for verifying a digital 

hsted in FIG. 7. signature is for User B to compute the point V-B+T on the 

The second step 81 listed in FIG. 8 is to decrement the elliptic curve, where V-(V^,V^). 

parameter i by one. The eleventh step 98 listed in FIG. 9 for verifying a digital 

The third step 82 listed in FIG. 8 is to set K-tK, This step 35 signature is for User B to compute v-(V^ mod q), where V^^ 

may be accomplished by a shift of K. is the x-ooordinate of the point V. 

The fourth step 83 listed in FIG. 8 is to determine if k, is The twelfth and last step 99 listed in FIG. 9 for verifying 

equal to one or minus one. If k^ is equal to one then set a digital signature is for User B to determine whether or not 

K-K+G. If k^ is equal to minus one set K-K-G. v-R. If v-R then the digital signature is verified. Otherwise, 

The fifth step 84 listed in FIG. 8 is to determine whether 40 the digital signature is not verified, 

or not the parameter i is equal to zero. If the parameter i is FIG. 10 Usts the steps necessary to accomplish the portion 

equal to zero then the next step is to return to the second step of the sixth step 93 listed in FIG. 9 of reducing b by mod 

81 listed in nG. 8 for further processing. If the parameter i (x^-l), where (T^-l)=ji+j2'^- 

is equal to zero then the next and last step 85 listed in FIG. The first step 100 listed in FIG. 10 is to set n=(ji"2)+(- 

8 is to return K. 45 iy~''jij2+2j2"2, where jj and j2 resulted from the steps listed 
FIG. 9 lists the step that User B must perform in order to in FIG. 2 above, and where "a" is one of the parameters used 

verify a digital signature transmitted to User B by User A. to describe the selected elliptic curve. 

The first step 88 listed in FIG. 9 for verifying a digital The second step 101 listed in FIG. 10 is to set c=[(jib+ 

signature is for User B to receive parameters y, q, M, R, and (-l)^"''j2b)/nj, where " [ J" denotes the function that returns 

S from a sender (presumably User A, but that is yet to be so the maximum integer not larger than the value contained 

verified), where y is the public signature key of the sender, therein. 

where q is the order of the base point G on the elliptic curve The third step 102 listed in FIG. 10 is to set d=[-j2b/nj. 

selected, where M is a message, and where the pair (R,S) is The fourth step 103 listed in FIG. 10 is to set w=b-jjC+ 

the digital signature of the message M. 2j^d. 

The second step 89 listed in FIG. 9 for verifying a digital ss The fifth step 104 listed in FIG. 10 is to set z=-j2C-j id- 
signature is for User B to determine whether or not 0<R<q {-lY'^j^d, 

and whether or not 0<S<q. If both expressions are true then The sixth and last step 105 listed in FIG. 10 is to return 

User B proceeds to the third step 90 for further processing. w and z. Note that w+zx represents the modular reduction of 

If either expression is false then processing is stopped and k (i.e., (b mod (x'"-l))). 

the digital signature is deemed not verified. 60 FIG. 11 lists the steps necessary to accomplish the portion 
The third step 90 listed in FIG. 9 for verifying a digital of the sixth step 93 listed in FIG. 9 of representing the 
signature is for User B to form the hash of the message M modular reduction of b as a base tau expansion in non- 
received using the identical hash function that the sender adjacent form. 

used to generate S. Note that User A must somehow com- The first step 110 listed in FIG. 11 is to set a parameter i 

municate to User B which hash function User A is using. 65 equal to zero. 

The fourth step 91 listed in FIG. 9 for verifying a digital The second step 111 hsted in FIG, 11 is to determine 

signature is for User B to compute f=((S^-l) mod q), whether or not w is even. This second step 111 may be 
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returned to as described below. If the second step 111 is 
returned to then w would have a different value than before 
as described below. If w is even then set bj.=0, where b,- 
represents the i''' bit of the base tau expansion of b in 
non-adjacent form. If w is not even then set b,-=l-2[((w- 
l+2z)/2)mod 2]. 

The third step 112 listed in FIG. 11 is to set w=w-b,.. 

The fourth step tl3 listed in FIG. 11 is to set a temporary 
variable temp equal to w. 

The fifth step 114 listed in FIG. 11 is to set w=(-l)^-'' 
(temp/2)+z. 

The sixth step 115 listed in FIG. 11 is to set z=(-temp)/2. 

The seventh step 116 listed in FIG. 11 is to determine 
whether or not either w or z is not equal to zero. 

If either w or z is not equal to zero then the eighth step 117 
Usted in FIG. 7 is to increment the parameter i by one. 

If the parameter i was incremented by one then the next 
step after step 117 is to return to the second step 111 listed 
in FIG. 11 for further processing. 

If both w and z are equal to zero then the last step 118 
listed in FIG. 11 is to return the base tau expansion of the 
modular reduced b in non- adjacent form (i.e., (b„ 
b/-!, - . ■ ,bo)). 

FIG. 12 lists the steps necessary to accomplish the seventh 
step 94 Usted in FIG. 9 of multiplying the point G by the 
base tau expansion, in non-adjacent form, of the modular 
reduced b to form a point B on the elliptic curve, where 
B-(B,,B^). 

The first step 120 listed in FIG. 12 is to compute B-b,G, 
where b^. is the left-most bit of the result of the last step 118 
listed in FIG. 11. 

The second step 121 listed in FIG. 12 is to decrement the 
parameter i by one. 

The third step 122 listed in FIG. 12 is to set B-tB. This 
step may be accomplished by a shift of B. 

The fourth step 123 listed in FIG. 12 is to detennine if b,. 
is equal to one or minus one. If b, is equal to one then set 
B-B+G. If b; is equal to minus one set B-B-G. 

The fifth step 124 listed in ITG. 12 is to determine whether 
or not the parameter i is equal to zero. If the parameter i is 
equal to zero then the next step is to return to the second step 
121 listed in FIG. 12 for further processing. If the parameter 
i is equal to zero then the next and last step 125 listed in FIG. 
12 is to return B. 

FIG. 13 lists the steps necessary to accomplish the portion 
of the eighth step 95 listed in FIG. 9 of reducing t by mod 
(t^-1), where i'^'-'^)=h+k'^' 

The first step 130 listed in FIG. 13 is to set d=Oi^)+(- 
l)^"''j j^+2j2"2, where j J and j2 resulted from the steps listed 
in FIG. 2 above, and where "a" is one of the parameters used 
to describe the selected elliptic curve. 

The second step 131 listed in FIG. 13 is to set c=[(jit+ 
(_l)^-^j^t)/nj, where "[ J" denotes the function that returns 
the maximum integer not larger than the value contained 
therein. 

The third step 132 listed in RG. 13 is to set d=[-j2t/nj. 
The fourth step 133 listed in FIG. 13 is to set w=t-jiC+ 
2j,d. 

The fifth step 134 listed in FIG. 13 is to set z=-j2C-jid- 

The sixth and last step 135 listed in FIG. 13 is to return 
w and z. Note that w+zx represents the modular reduction of 
t (i.e., (t mod (x^-1))). 

FIG. 14 lists the steps necessary to accomplish the portion 
of the eighth step 95 listed in FIG. 9 of representing the 
modular reduction of t as a base tau expansion in non- 
adjacent form. 
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The first step 140 listed in FIG. 14 is to set a parameter 
i equal to zero. 

The second step 141 listed in FIG. 14 is to determine 
whether or not w is even. This second step 141 may be 
5 . returned to as described below. If the second step 141 is 
returned to then w would have a different value than before 
as described below. If w is even then set t-=0, where t, 
represents the i^ bit of the base tau expansion of t in 
non-adjacent form. If w is not even then set t,=l-2[((w-l+ 
10 2z)/2)mod2], 

The third step 142 listed in FIG. 14 is to set w=w-t;. 

The fourth step 143 listed in FIG. 14 is to set a temporary 
variable temp equal to w. 

The fifth step 144 listed in FIG. 14 is to set w=(-l)^-'' 
15 (temp/2)+z. 

The sixth step 145 Usted in FIG. 14 is to set z-(-temp)/2. 

The seventh step 146 listed in FIG. 14 is to determine 
whether or not either w or z is not equal to zero. 

If either w or z is not equal to zero then the eighth step 147 
20 listed in FIG. 14 is to increment the parameter i by one. 

If the parameter i was incremented by one then the next 
step after step 147 is to return to the second step 141 listed 
in FIG. 14 for ftirther processing. 

If both w and z are equal to zero then the last step 148 
25 listed in FIG. 14 is to retum the base tau expansion of the 
modular reduced t in non-adjacent form (i.e., (t^, 
t.--i, . . . ,to)). 

FIG. 15 Usts the steps necessary to accompUsh the ninth 
step 96 listed in FIG. 9 of multiplying the point G by the 
30 base tau expansion, in non-adjacent form, of the modular 
reduced l to form a point T on the elliptic curve, where 
T-(T,,T^). 

The first step 150 listed in FIG. 15 is to compute T=t;G, 
where t, is the left-most bit of the result of the last step 148 
35 listed in FIG. 14. 

The second step 151 listed in FIG. 15 is to decrement the 
parameter i by one. 

The third step 152 listed in FIG. 15 is to set T=^. This 
step may be accomplished by a shift of T. 
40 The fourth step 153 listed in FIG. 15 is to determine if t, 
is equal to one or minus one. If is equal to one then set 
T=T+G. If t^ is equal to minus one set T=T-G. 

The fifth step 154 listed in FIG. 15 is to detennine whether 
or not the parameter i is equal to zero. If the parameter i is 
45 equal to zero then the next step is to return to the second step 
, 151 listed in FIG. 15 for further processing. If the parameter 
i is equal to zero then the next and last step 155 listed in FIG. 
15 is to retum T. 
What is claimed is: 
50 1. A method of generating a digital signature for trans- 
mission to a recipient, comprising the steps of: 

a) selecting an elliptic curve, where the elUptic curve is of 
the form y^+xy=x^+a(x"2)+l, where "a" is a member of 
a field F2, where the elliptic curve is defined over a field 

55 F2m, and where m is an integer; 

b) selecting a point G on the elliptic curve as a base point, 
where the point G is of order q, and where q is an 
integer; 

c) generating a private signature key x and a message M; 
60 d) reducing x by mod (t^-l) in the form of w+zt; 

e) generating a base tau expansion, in non -adjacent form, 
of the result of step (d); 

f) multiplying G by the result of step (e) to form a point 
y on the elliptic curve; 

65 g) computing h»Hash(M), where "Hash" is a secure 
one-way hash function; 
h) generating a private integer k; 
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i) reducing k by mod (t^-l) id the form of w+zt; 

j) generating a base tau expansion, in oon-adjacent form, 

of the result of step (i); 
k) multiplying G by the result of step Q) to form a point 

K on the elliptic curve, where K-(K^^); ^ 
1) computing R=(Kp mod q); 

m) returning to step (h) if R-0, otherwise proceeding to 

the next step; 
n) computing S=(k'-l)(h+xR); 

o) returning to step (h) if S=0, otherwise proceeding to the 
next step; and 

p) transmitting y, q, M, R, and S to the recipient, where 
the pair (R,S) is the digital signature for the message M. 

2. The method of claim 1, wherein said step of reducing ^5 
X by mod (t^-l) in the form of w+zn; is comprised of the 
steps of: 

a) setting 1^=0; 

b) setting Lj=l; 

c) setting i-2; 

d) setting L-(-l)^-"L,.i-2L,_2; 

e) determining whether or not i=m; 

f) incrementing i by one and returning to step (d) for 
further processing if i?*m in step (e); and 25 

g) setting ji«-2Lj_i-l, setting j2=Lt, and returning jj and 

if i=m in step (e). 

3. The method of claim 2, further comprising the steps of: 

a) setting n=0,^)+(-l)'"''jaj2+2(j2^); 

b) setting c«[(jiX+(-l)^"''j2x)/nJ, where "[ J" denotes a 30 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d='[-j2X/nJ; 

d) setting w=x-j iC+2j2d; 

e) setting z=-j2C-jid-(-l)^""j2d; and 

f) returning, w and z. 

4 The method of claim 1, wherein said step of generating 
a base tau expansion, in no n- adjacent form, of the result of 
step (d) is comprised of the steps of: ^ 

a) setting i-0; 

b) setting x~0 if w is even, otherwise setting x~l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-Xj.; 

d) setting temp-w; 45 

e) setting (-l)^"'(temp/2)+z; 

f) setting z-(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (x,-, 
x,_i, . . . ,Xo) as the base tau expansion, in non- adjacent 
form, of the modular reduced private signature key x. 

5. The method of claim 1, wherein said step of multiply- 
ing G by the result of step (e) is comprised of the steps of: 

a) computing y=x,G; ^5 

b) decrementing i by one; 

c) setting y-ty; 

d) setting y=y+G if x,=l; 

e) setting y=y-G if x,^-!; and 

f) returning to step (b) for further processing if i=0, 60 
otherwise returning y as the product of G and the base 
tau expansion, in non- adjacent form, of the modular 
reduced private signature key x. 

6. The method of claim 1, wherein said step of reducing 

k by mod (t^-l) in the form of w+zt comprised of the steps 55 
of: 

a) setting Lo=0; 
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b) setting Lj^l; 

c) setting i-2; 

d) setting L,=(-1)'-''L,_,-2L,_2; 

e) determining whether or not i=m; 

f) incrementing i by one and returning to step (d) for 
further processing if is^m in step (e); and 

g) setting jiO-2Lj._i-l, setting j2='L;7 and returning j^ and 
)2 if i=m in step (e). 

7. The method of claim 6, further comprising the steps of: 

a) setting n=(ji^)+(-l)'"' j2+2(j2*2); 

b) setting c=»[(jiX+(-l)^~"j2x)/nJ, where "[ J" denotes a 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d=[-j2x/nj; 

d) setting w=x-jiC+2j2d; 

e) setting z=-j2C-jid-(-l)^"''j2d; and 

f) returning w and z. 

8. The method of claim 1, wherein said step of generating 
a base tau expansion, in non-adjacent form, of the result of 
step (i) is comprised of the steps of: 

a) setting i-0; 

b) setting k,^0 if w is even, otherwise setting k ~1 -z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-k^; 

d) setting temp=w; 

e) setting w=(-l)^"*°(temp/2)+z; 

f) setting z-(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (k,-, 
k,_-t, . . , ,ko) as the base tau expansion, in non-adjacent 
form, of the modular reduced private integer k. 

9. The method of claim 1, wherein said step of multiply- 
ing G by the result of step (j) is comprised of the steps of: 

a) computing K-kiG; 

b) decrementing i by one; 

c) setting K=tK; 

d) setting K=K-^G if k~l; 

e) setting K-K-G if k--l; and 

f) returning to step (b) for further processing if i=0, 
otherwise returning K as the product of G and the base 
tau expansion, in non- adjacent form, of the modular 
reduced private integer k. 

10. The method of claim 3, wherein said step of gener- 
ating abase tau expansion in non-adjacent form, of the result 
of step (d) is comprised of the steps of: 

a) setting i=0; 

b) setting x=0 if w is even, otherwise setting X;«l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-x,; 

d) setting temp-w; 

e) setting w=(-l)^-''(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (x,-, 
Xi-i, • ■ • jXq) as the base tau expansion, in non-adjacent 
form, of the modular reduced private signature key x. 

11. The method of claim 10, wherein said step of multi- 
plying G by the result of step (e) is comprised of the steps 
of: 

a) computing y^x^G; 

b) decrementing i by one; 

c) setting y«»ty; 

d) setting y=y+G if Xt-=1; 
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e) setting yoy-G if Xf=-1; and 

f) returning to step (b) for further processing if i-0 
otherwise returning y as the product of G and the base 
tau expansion, in no n- adjacent form, of the modular 
reduced private signature key x. 

12. The method of claim 11, wherein said step of reducing 
k by mod (x^-l) in the form of w+zx is comprised of the 
steps of: 

a) setting Lo=0; 

b) setting L^"!; 

c) setting i=2; 

d) setting L-C-iy-^'L^-.i-lL,.^ 

e) determining whether or not i=m; 

f) incrementing i by one and returning to step (d) for 
further processing if i^m in step (e); and 

g) setting jj=-2L,_i-l, setting j2=L,-, and returning jj and 
}2 if i-^m in step (e), 

13. The method of claim 12, further comprising the steps 

of: 

a) setting n=Oa'^)+(-l)''"j ^2+20^^); 

b) setting C'[Q^x+(-iy~%x)/n\, where "[ J" denotes a 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d-[-j2x/nJ; 

d) setting w=x-jiC+2j2d; 

e) selling z^-jr^c-j-^d-^-lY'^i-^A; and 

f) returning w and z. 

14. The method of claim 13, wherein said step of gener- 
ating a base tau expansion, in non-adjacent form, of the 
result of step (i) is comprised of the steps of: 

a) setting i=0; 

b) setting k,.=0 if wis even, otherwise setting k~l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-k,-; 

d) setting temp-w; 

e) setting w=(-l)^-''(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing, i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (k,., 
k,_j, . . . ,ko) as the base tau expansion, in non- adjacent 
form, of the modular reduced private integer k. 

15. The method of claim 14, wherein said step of multi- 
plying G by the result of step (j) is comprised of the steps of: 

a) computing K=k,-G; 

b) decrementing i by one; 

c) setting K=tK; 

d) setting K=K+G if k.«l; 

e) setting K=K-G if k~-l; and 

f) returning to step (b) for further processing if i-0, 
otherwise returning K as the product of G and the base 
tau expansion, in non- adjacent form, of the modular 
reduced private integer k. 

16. A method of verifying a digital signature (R,S) for a 
message M, comprising the steps of: - 

a) receiving parameters y, q, M, R, and S; 

b) proceeding with the next step if 0<R<q and 0<S<q, 
otherwise detennining that the digital signature is not 
verified and stopping; 

c) forming h-Hash(M), where "Hash" is a secure one-way 
hash function that is identical to a hash function used to 
generate S; 

d) computing f=((S"-l) mod q); 

e) computing b=»(hf mod q) and t=(Rf mod q); 

f) reducing b by mod (t^-l) in the form of w+zt; 
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g) generating a base tau expansion, in non- adjacent form, 
of the result of step (f); 

h) multiplying G by the result of step (g) to form a point 
B on an elliptic curve used to generate y, R, and S: 

i) reducing t by mod (tf"-!) in the form of w+zt; 

j) generating a base tau expansion, in non- adjacent form, 

of the result of step (i); 
k) multiplying G by the resuU of step (j) to form a point 

T on the elliptic curve, 
1) computing V-B+T, where V-(V^,V^); 
m) computing v=(V^ mod q); and 
n) verifying the digital signature if v«R, otherwise not 

verifying the digital signature. 

17. The method of claim 16, wherein said step of reducing 
b by mod (t^-l) in the form of w+zx is comprised of the 
steps of: 

a) setting Lo=0; 

b) setting L^=l; 

c) setting i-2; 

d) setting L~(-1)'-°L,_,-2L,_2; 

e) determining whether or not i=m; 

f) incrementing i by one and returning to step (d) for 
further processing if if*m in step (e); and 

g) setting ji—2L,-_i-l, setting ja-L,-, and returning j^ and 
ji if i-m in step (e). 

18. The method of claim 17, further comprising the steps 

of: 

a) setting n=(ji^)+(-l)'-''j ^2+202^); 

b) setting c»[(j^b+(-iy-\b)fnl where "[ J" denotes a 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d=[-j2b/nj; 

d) setting w=b-jiC+2j2d; 

e) setting 2.'-H0-}id-(-lY~''j^d; and 

f) returning w and z. 

19. The method of claim 16, wherein said step of gener- 
ating a base tau expansion, in non-adjacent form, of the 
result of step (f) is comprised of the steps of: 

a) setting i=0; 

b) setting b^^O if w is even, otherwise setting b~l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-bi; 

d) setting temp=w; 

e) setting w=(-l)^"''(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (b,-, 



b„ b,- 



,bo) as the base tau expansion, in non- 



adjacent form, of the modular reduced b. 

20. The method of claim 16, wherein said step of multi- 
plying G by the result of step (g) is comprised of the steps 
of: 

a) computing B=b^Xj; 

b) decrementing i by one; 

c) setting B=tB; 

d) setting B«B+G if b,.=l; 

e) setting B«B-G if b--l; and 

f) returning to step (b) for further processing if i=0, 
otherwise returning B as the product of G and the base 
tau expansion, in non-adjacent form, of the modular 
reduced b. 

21. The method of claim 16, wherein said step of reducing 
t by mod in the form of w+zx is comprised of the 
steps of: 
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a) setting Lo=0; 

b) setting L^-l; 

c) setting i=2; 

d) setting L-(-iy-''L,,i-2L,_2; 

e) determining whether or not i=ni; 

f) incrementing i by one and returning to step (d) for 
further processing if i^m in step (e); and 

g) setting ji—2L,_i-l, setting i^-Li, and returning ji and 
}2 if i«=ni in step (e). 

22. The method of claim 21, further comprising the steps 



a) setting n=Oa'^)+(-l)''"j J2+2(j2^); 

b) setting c=[(jt+(-l)^-''j2t)/nJ, where "[ J" denotes a 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d=[-j2t/nj; 

d) setting w=t-jiC+2j2d; 

e) setting z=-j2C-jid-(-l)^"''j2d; and 

f) returning w and z. 

23. The method of claim 16, wherein said step of gener- 
ating a base tau expansion, in non-adjacent form, of the 
result of step (i) is comprised of the steps of: 

a) setting i=0; 

b) setting t~0 if w is even, otherwise setting t ~l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w-w-t,-; 

d) setting temp=w; 

e) setting w-(-l)^"°(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (t^-, 
tj-_i, . . . ,to) as the base tau expansion, in non- adjacent 
form, of the modular reduced t. 

24. The method of claim 16, wherein said step of multi- 
plying G by the result of step (j) is comprised of the steps of: 

a) computing T^t^G; 

b) decrementing i by one; 

c) setting T=tT, 

d) setting T-T+G if t,.-!; 

e) setting T=T-G if t^.=-l; and 

f) returning to step (b) for further processing if i=0, 
otherwise returning T as the product of G and the base 
tau expansion, in non-adjacent form, of the modular 
reduced t. 

25. The method of claim 18, wherein said step of gener- 
ating a base tau expansion, in non-adjacent form, of the 
result of step (f) is comprised of the steps of: 

a) setting i=0; 

b) setting b,=0 if w is even, otherwise setting b ~l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-b^.; 

d) setting temp=w; 

e) setting w«(-l)^""(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 

w and z are not equal to zero, otherwise returning (b,-, 60 
t>,_i, . . - ,bo) as the base tau expansion, in non- adjacent 
form, of the modular reduced b. 

26. The method of claim 25, wherein said step of multi- 
plying G by the result of step (g) is comprised of the steps 
of: 
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a) computing B=b^-G; 

b) decrementing i by one; 

c) setting B-tB; 
5 d) setting B=B+G if b,-=l, 

e) setting B=B-G if b;-l; and 

f) returning to step (b) for further processing if i=0, 
otherwise returning B as the product of G and the base 
tau expansion, in non-adjacent form of the modular 

1^ reduced b. 

27. The method of claim 26, wherein said step of reducing 
t by mod (t^-l) in the form of w+zr is comprised of the 
steps of: 
^5 a) setting Lo=0; 

b) setting Li=l; 

c) setting i=2; 

d) setting L-(-l)^-"L;_i-2L,_2; 

e) determining whether or not i=m; 

f) incrementing i by one and returning to step (d) for 
further processing if i^m in step (e); and 

g) setting j^«-2L^_i-l, setting j2=L,, and returning jj and 
j2 if i=m in step (e). 

25 28. The method of claim 27, further comprising the steps 
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of: 

a) setting n:=(j^2)+(-l)^-^jj2+2(j2^2); 

b) setting c=[Git+(-l)^"''j2t)/nJ, where "[ J" denotes a 
function of returning the largest integer not larger than 
the value contained therein; 

c) setting d«[-j2t/nj; 

d) setting w=t-jiC+2j2d; 

e) setting z=-j2C-jid d-(-iy"'j2d; and 

f) retuming w and z. 

29. The method of claim 28, wherein said step of gener- 
ating a base tau expansion in non-adjacent form, of the result 
of step (i) is comprised of the steps of: 

a) setting, i=0; 

b) setting t,--0 if w is even, otherwise setting t,-l-z[((w- 
l+2z)/2) mod 2]; 

c) setting w=w-t^; 

d) setting temp«w; 

e) setting w=(-l)^"'(temp/2)+z; 

f) setting z=(-temp)/2; and 

g) incrementing i by one and returning to step (b) if both 
w and z are not equal to zero, otherwise returning (t,-, 
U-iJ ■ ■ • ?to) the base tau expansion, in non-adjacent 
form, of the modular reduced t. 

30. The method of claim 29, wherein said step of multi- 
plying G by the result of step (j) is comprised of the steps of: 

a) computing T=t,.G; 

b) decrementing i by one; 

c) setting T=tT; 

d) setting T=T+G if t,-=l; 

e) setting T-T-G if t,— 1; and 

f) returning to step (b) for further processing if i«0, 
otherwise retuming T as the product of G and the base 
tau expansion, in non-adjacent form, of the modular 
reduced t. 
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